Created
August 12, 2016 20:13
-
-
Save kees/1ef63a1e55b3e71c3dd8e90e4bebf9cd to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # grsecurity | |
| ## integrated | |
| - PERF_HARDEN - local kernel attack surface reduction, landed as perf_event_paranoid=3 by default in AOSP | |
| - DENYUSB - physical attack surface reduction, tied to screen lock state by default (setting exposes on, off, dynamic) | |
| * DEVICE_SIDECHANNEL - closes time-based sidechannels for device types | |
| ## wanted | |
| * PROC_MEMMAP - likely won't break anything | |
| * HIDESYM - have kptr_restrict, but this plugs additional holes (could just extract them) | |
| * RANDSTRUCT - Unique kernel per-device and also per-version means it wouldn't be useless, but it | |
| could be a lot more useful if there were different release channels per-device. Could rebuild | |
| only the kernel (very quick for Android) to save time, although incremental builds are sketchy. | |
| * KSTACKOVERFLOW | |
| * RWXMAP_LOG - in userdebug builds | |
| ## IDS-related | |
| Features that would likely be useful to a theoretical IDS but not otherwise since there's no | |
| system administrator to review logs and it's not particularly useful for debugging other than the | |
| RWXMAP_LOG feature. | |
| * all of the auditing features | |
| * PROC_IPADDR | |
| ## undecided | |
| * SETXID - would fix the issue in Android's libc, but only the base system uses this and it's | |
| unlikely that this would fix any vulnerabilities - unlike a traditional distribution | |
| * TPE - some functionality is covered by SELinux, but not all - the main issue is compatibility | |
| * BRUTE - Android doesn't use suid/sgid binaries, might be useful for Chromium but could be implemented there | |
| * NO_SIMULT_CONNECT | |
| * PTRACE_READEXEC | |
| * HARDEN_PTRACE - more than SELinux can do but new kernels have stackable ptrace_scope based on it | |
| * FIFO - not sure if Android apps can even use FIFOs, should investigate this | |
| * HARDEN_TTY | |
| ## leaning against | |
| * socket groups - Android already has a similar kernel feature for the network permission | |
| * all of the chroot hardening features - Android doesn't use chroots for anything | |
| * SYMLINKOWN - not really any use case where it wouldn't break everything | |
| * KMEM - likely redundant due to SELinux | |
| * IO - likely redundant due to SELinux | |
| * RAND_THREADSTACK - similar mitigation can be done in libc, although the signal can be handled | |
| ## incompatible and/or unnecessary | |
| * KERN_LOCKOUT - Android uses panic_on_oops | |
| * RBAC - not currently flexible enough, and Android is far too heavily invested in SELinux already | |
| * JIT_HARDEN - not ever going to be enabling the BPF JIT engine | |
| * MODHARDEN - Nexus devices do not use kernel modules | |
| * DMESG - implemented via dmesg_restrict and SELinux already | |
| * LINK - available via fs.protected_{hardlinks,symlinks} | |
| * BLACKHOLE - netfilter is always used anyway | |
| * SYSFS_RESTRICT - not flexible enough, and the SELinux policy for /sys is already very strict | |
| * PROC, PROC_{USER,USERGROUP}, PROC_ADD - already have hidepid and SELinux for this | |
| * HARDEN_IPC - Android doesn't enable System V IPC | |
| * VM86 - not going to be supporting any 32-bit x86 devices, or really any more 32-bit devices at all | |
| * ROFS - would be incompatible with external storage, and wouldn't provide much value since mount | |
| access is extremely limited while the kernel attack surface is huge | |
| * PROC_ADD - can use SELinux for finer-grained control: | |
| - buddyinfo | |
| - bus | |
| - bus/pci | |
| - kcore | |
| - cmdline | |
| - devices | |
| - interrupts - done | |
| - stat - done | |
| - config.gz - not present | |
| - ioports | |
| - iomem | |
| - sched_debug | |
| - timer_list - done | |
| - timer_stats - done | |
| - slabinfo | |
| - vmstat | |
| - pagetypeinfo | |
| # PaX | |
| * NOEXEC - not really meaningful anymore | |
| * PAGEEXEC - minor security benefits outside i386 (no signal handler call for NX violations) | |
| * SEGMEXEC - not relevant outside i386 | |
| * EMUTRAMP - not needed | |
| * EMUSIGRT - not needed | |
| * MPROTECT - needs to be ported to AArch64 | |
| * MPROTECT_COMPAT - not needed | |
| * ELFRELOCS - not needed | |
| * ETEXECRELOCS - not needed | |
| * EMUPLT - not needed | |
| * DLRESOLVE - not needed | |
| * KERNEXEC - needs to be ported to AArch64 (can use PXN) | |
| * ASLR | |
| * RANDKSTACK - needs to be ported to ARM and AArch64 | |
| * RANDUSTACK | |
| * RANDMMAP - needs to be ported to AArch64 | |
| * MEMORY_SANITIZE | |
| * MEMORY_STACKLEAK | |
| * MEMORY_STRUCTLEAK | |
| * MEMORY_UDEREF - needs to be ported to AArch64 for ARMv8 | |
| * REFCOUNT | |
| * CONSTIFY_PLUGIN | |
| * USERCOPY | |
| * SIZE_OVERFLOW | |
| * LATENT_ENTROPY - not really needed, already have hardware random number generators | |
| * RAP - needs to be ported to ARM and AArch64 | |
| ## Changes without configuration names (incomplete) | |
| * PaX stack gap |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment